IEEE TRANSACTIONS ON COMPUTER-AIDED DESIGN OF INTEGRATED CIRCUITS AND SYSTEMS, VOL. 37, NO. 1, JANUARY 2018

Enabling Security-Enhanced Attestation With Intel SGX for Remote Terminal and IoT

Juan Wang, Member, IEEE, Zhi Hong, Yuhan Zhang, and Yier Jin, Member, IEEE

Manuscript received September 21, 2016; revised May 24, 2017; accepted August 13, 2017. Date of publication September 7, 2017; date of current version December 20, 2017. This work was supported in part by the National Natural Science Foundation of China under Grant 61402342, Grant 61173138, and Grant 61103628, and by the National Basic Research Program of China (973 Program) under Grant 2014CB340600. This paper was recommended by Associate Editor M. Huebner. (Corresponding author: Yier Jin.) J. Wang, Z. Hong, and Y. Zhang are with the Department of Computer Science, Wuhan University, Wuhan 430072, China, and also with the Key Laboratory of Aerospace Information Security and Trust Computing, Ministry of Education, Wuhan 430072, China (e-mail: jwang@whu.edu.cn; whuhongzhi@foxmail.com; yh_zhang@whu.edu.cn). Y. Jin is with the Department of Electrical and Computer Engineering, University of Florida, Gainesville, FL 32611-6200 USA (e-mail: yier.jin@ece.ufl.edu). Color versions of one or more of the figures in this paper are available online at http://ieeexplore.ieee.org. Digital Object Identifier 10.1109/TCAD.2017.2750067. 0278-0070 © 2017 IEEE.

Abstract—Along with the advent and popularity of cloud computing, the Internet of Things, and bring your own device, the trust requirement for terminal devices has increased significantly. An untrusted terminal, that is, a terminal that runs in an untrustworthy execution environment, may cause serious security issues for enterprise networks. With the release of Software Guard Extension, Intel has provided a promising way to construct trusted terminals and services. Utilizing this technology, we propose a security-enhanced attestation for remote terminals, which can achieve shielded execution for measurement and attestation programs. Furthermore, we present a policy-based measurement mechanism where sensitive data, including secret keys and policy details, are concealed using the enclave-specific keys. We implement our attestation prototype on a real platform with an Intel Skylake processor. Evaluation results show that our attestation system provides much stronger security guarantees, yet incurs only a small performance overhead.

Index Terms—Attestation, Internet of Things (IoT), remote terminal (RT), secure enclaves, Software Guard Extension (SGX).

I. INTRODUCTION

With the rapid development of cloud computing, the Internet of Things (IoT) and bring your own device, we are witnessing an explosive growth in the number of terminal devices [1], [2]. At the same time, the security issues of terminal devices have become increasingly important. Terminal devices are vulnerable to various security threats; a large number of terminal devices have been hacked simply because of weak password policies. As a result, a substantial amount of effort is required to measure the terminal devices and attest that they are trusted [3]–[6].

Nowadays there are mainly two methods for constructing and verifying the trust of terminal devices. The first method is based on trusted platform modules (TPMs). Under this method, signatures and secret keys related to the boot process are stored inside the TPM platform configuration registers [7], [8]. Once the measurement value has been signed by the TPM and sent to the prover, the prover verifies the signature and the integrity of the measurement results to attest the trust of the attestees. The other method leverages TrustZone to construct trusted terminals [9], [10]. Trusted services are isolated in a secure world while untrusted services run in a normal world. A trusted service is loaded into a trusted domain after the secure boot process has finished. The untrusted services can call the trusted service through the trusted application program interface (API). Randomly generated keys can be obtained from TPMs, or from other sources such as the International Mobile Equipment Identity or physical unclonable functions [11]. These keys are used to sign and encrypt a measurement value.

However, the two methods above still have shortcomings and challenges. The TPM-based method can only securely protect keys, measurement values, and other sensitive data, due to its design and performance. TPMs cannot ensure the runtime isolation of program code and data. TrustZone-based systems suffer from the lack of built-in authentication when normal-world software communicates with the secure world. In addition, the current methods do not consider the security of the attestation program itself [12], such as the isolation of the attestation program, the security of the verification procedure, and the protection of the transmission module.

Aiming at these challenges, we propose a security-enhanced attestation for remote terminals (RTs) and IoT devices. Our method can achieve shielded execution for measurement and attestation programs. Furthermore, it can measure the RT based on a custom policy and also protect the sensitive data, including keys. The policy is sealed by the enclave-specific keys. We implement our prototype on a platform using an Intel Skylake processor and evaluate its performance. The results show that the overhead of the measurement module increases by only about 3%, and the cost of the attestation module excluding the measurement module is lower than that of an open source attestation platform, e.g., OpenAttestation (OAT) [13].

Our contributions can be summarized as follows.

1) We propose a security-enhanced remote attestation method for RTs and IoT devices. Our method not only has a small trusted computing base but also constructs a dynamic attestation method based on multiple enclaves. Meanwhile, our method achieves the sealed storage of keys, isolated running of the attestation program, and a secure communication channel. A challenger can attest RT trust in a secure environment.

2) We present a policy-based measurement mechanism. Administrators can collect and monitor the runtime status through a custom measurement policy, while the policy is protected by the Software Guard Extension (SGX) seal key.

3) We implement the RT attestation service for the first time on a real physical platform with an Intel Skylake processor running Linux. Furthermore, the performance is evaluated and the results show that the additional overhead is trivial.

The remainder of this paper is organized as follows. Section II provides background information relating to our system, including the problem description, the threat model and Intel Software Guard Extension. Section III provides a system overview. Section IV introduces the design of secure isolation. Section V describes our policy-based measurement mechanism. Section VI shows the security-enhanced attestation procedure. Section VII describes the implementation and evaluation of our prototype and presents the results and analysis. Section VIII shows some related work. Section IX concludes this paper.

II. BACKGROUND

A. Problem Description

The trust of terminal devices is critical to enterprise networks because the devices are numerous and vulnerable to attacks. The remote attestation mechanism of the TCG can report the environment fingerprint of devices to attesters so as to validate the identity and the trust status of attestees. However, TPM-based attestation cannot protect the attestation program from being tampered with or leaking sensitive information during runtime execution. ARM TrustZone can also be used to implement attestation of devices, but the transfer process from the secure world to the normal world and the trusted API of the TrustZone service are vulnerable to attacks.
Furthermore, an attestation program protected by TrustZone may be threatened if one of the programs in the secure world has security weaknesses, since all of the protected programs run in the same isolated memory region.

Aiming at the challenges above, we propose an SGX-based attestation service that achieves security-enhanced attestation. Our approach separates the attestation service into an untrusted module and a trusted module. Meanwhile, we isolate the trusted attestation modules in different enclaves so as to protect the security of the attestation program. We also present policy-based measurement. Challengers can send their measurement policy to attested entities. The attestation program collects the measurement values of remote devices according to the measurement policy, signs them and sends them to the challengers. After validating the identity of the measurement values, the attesters compare the measurement result with the baseline value, which is collected in a clean state of the attested platform. If the measurement value matches the baseline value, we determine that the attested platform is trusted; otherwise it is untrusted. In the attestation procedure, we use the SGX quote operation to implement the signature of measurement values.

B. Threat Model

We follow the assumptions in the SGX model, where the processor is trusted and has not been tampered with. We allow the adversary to carry out physical attacks on the system, such as modifying memory and changing I/O signals. We also assume that enclave programs are trusted and other programs in the system, including the BIOS, OS, and VMM, are untrusted. We also assume the certificate authority (CA) to be trusted. However, adversaries can control the system outside the enclave, such as by inserting malicious software into the system and changing configuration parameters. In addition, the adversary may monitor and control network communication and will further attempt to impersonate the RT in an attempt to defeat server-side validation.

Note that we do not consider distributed denial of service attacks and side-channel attacks such as timing attacks and cache collision attacks, because those attacks can be mitigated by current defense mechanisms [14]–[16]. In addition, other side channel attacks, such as power analysis, require hardware modifications, and are ultimately a limitation of our approach.

C. SGX

SGX by Intel Corporation was announced in Q1 2013 as an extension to the x86_64 instruction set architecture. It provides a way for an application to secure a portion of its address space and place data and code within this container. Intel calls this container an enclave. There is no set limit to the number of enclaves a process can own. Furthermore, it is important to notice that a process is strictly limited by the hardware in directly accessing the enclave's contents, whilst the enclave is free to access any portion of the process's memory.

SGX assumes that everything on a system with the exception of the processor can be compromised. That is, the OS, drivers, BIOS, hypervisor, and system management mode are untrustworthy. As such, any secrets in an enclave remain protected even when the attacker has full control of the computer system. Code and data within the enclave are encrypted and cryptographically signed so as to ensure their secrecy and integrity. The boundary of the security mechanism is the CPU package itself. Enclave code and data inside the CPU remain unencrypted. If this code or data is ever to leave the CPU package, it is encrypted and cryptographically signed. If a portion of an enclave is to enter the CPU again, it is decrypted inside the CPU after the integrity checking. This mechanism prevents bus sniffing, tampering with memory and cold boot attacks against an SGX-enabled system.

1) Enclaves: An enclave is a protected container for sensitive data and code [17]. SGX allows applications to specify a trusted part and an untrusted part. The code and data sections of the trusted part need isolated protection. It is not necessary to do extra work on data or code before creating an enclave, but the data and code must be measured when loaded into an enclave [18]. Once the protected part of an application has been loaded into an enclave, SGX protects it from external software, whether it is a malicious program or just a normal one.

Data in memory is vulnerable to probing and malicious tampering. For example, memory leak attacks can potentially leak sensitive data from the system. Although solutions such as full memory encryption [19] or oblivious memory [20] have been proposed, these systems are not deployable in practice without considerable change. Furthermore, not all portions of memory contain sensitive information. Intel SGX opts for providing a special memory region, called the enclave page cache (EPC), where code and data from the enclaves are kept [21]–[23]. SGX also defines a security boundary on the CPU package itself. Any enclave-related data or code leaving the CPU is encrypted by a memory encryption engine (MEE) and kept in the EPC. When enclave code or data enters the CPU, the MEE decrypts it. Consequently, an attacker can only obtain ciphertext by leaking enclave code or data from outside the enclave.

Code outside an enclave has no access to the data inside, and code inside an enclave can only access the data and code belonging to the same enclave. For the memory space outside the EPC, the memory access mechanism is no different from the normal one. Such a memory protection mechanism not only prevents the data inside an enclave from being tapped or tampered with by malicious software, but also forbids the code inside an enclave from getting data from other enclaves.

When a process terminates, its enclave instances are destroyed and the data and code they hold disappear. To preserve some secret data in an enclave for future use, SGX offers a sealing function. Sealing can encrypt the data inside an enclave and store them on a permanent medium such as a hard disk drive, so the data can be used the next time. When sealing data, there are two options available: sealing to the current enclave, using the current version of the enclave measurement (MRENCLAVE), or sealing to the enclave author, using the identity of the enclave author (MRSIGNER). In this paper, we use both mechanisms.

2) Attestation in SGX: In Intel SGX, attestation is the process of demonstrating that a piece of software has been authenticated on the platform and is being protected by an enclave [21]. Once an enclave is loaded, it is safe for a third party to communicate sensitive data to it. To achieve this goal, the platform needs to supply the third party with a credential which reflects its enclave security information and enclave signature. SGX supports two kinds of attestation, local (intraplatform) attestation and remote (interplatform) attestation. Local attestation is designed for enclaves on the same platform. When the attestation process completes, a secure session is established between two enclaves and they can call functions and get data from each other. Remote attestation is a mechanism designed for the attestation between an enclave and a remote party (not on the same platform). A remote challenger can get enclave information and the platform security state through this process, and then it decides whether the enclave and the platform are trustworthy according to its local security configuration.

In the process of local attestation, an enclave asks the hardware to generate a credential, known as a report, and sends this report to another enclave on the same platform which can verify this report. An enclave report contains the following data: the measurement of the code and data in the enclave, a hash of the public key in the independent software vendor (ISV) certificate, user data, other security related state information, and a signature block over the above data.

For remote attestation, an application can also send an enclave report to a quoting enclave to produce a type of credential that reflects enclave and platform state. This credential is called a quote, which is signed with an EPID private key [22]. The quoting enclave is an Intel provided enclave, which can process an enclave report and convert the report into an enclave quote. Only the quoting enclave has access to the Intel EPID key. The quote is a data structure used for remote attestation and its main content is the same as the report. This quote can be passed to entities on another platform for verification. A quote includes the following data: the measurement of the code and data in the enclave, a hash of the public key in the ISV certificate, the product ID and security version number of the enclave, attributes of the enclave, user data, and a signature block over the above data.

III. SYSTEM OVERVIEW

Our main goal is to achieve trusted remote attestation of RTs and IoT devices by using the SGX technology. The proposed solution can prevent security threats during remote attestation and monitor the runtime status of the RT, so as to detect tampering in the RT in real time and eliminate the possible risks.

A. Design Overview

The idea of our system revolves around isolating the sensitive modules used during remote attestation into enclaves. The sensitive modules include the measurement module, the key storage module, the verification module of the server side, and the session module. The enclave can provide isolation for these modules and sealed storage for keys so as to prevent attackers, including malicious insiders, from tampering with programs or stealing keys and other sensitive information. When the critical status or configurations of attestees have been modified, this is detected immediately by the attestation server, and then the attesters can judge whether the terminals are trusted. Administrators can also take relevant measures to control the terminal. For example, they can recover the tampered data, disable the terminal's access to high-security services, and even temporarily disable its access to the enterprise internal network.

As shown in Fig. 1, the system is composed of a remote attestation server (RAS), the RT, and a CA. The RAS is the verifier for remote attestation and the RT is the prover to be verified. The hardware of each side should support SGX. To prevent malicious attackers from tampering with the attestation process and eavesdropping on attestation results, we put the main modules of our system into secure enclaves, such as the transport layer security (TLS) module, the measurement module, the attestation service, and the verifying module. We also use the sealed storage of SGX to protect the critical keys and security policies in the process of attestation. The main process of the system is described as follows.

1) RAS and RT start the TLS service and the attestation service. The services are then called into the respective
enclave to be executed. The TLS service and the attestation service generate a private–public key pair and request the CA to issue the public key certificates. The private key is sealed by the Sealkey, which is generated in the corresponding enclave based on the public key of the signer.

2) The attestation service of the RAS challenges the RT for trusted verification.

3) The attestation service of the RT calls the local TLS service to build the secure session channel with the RAS and then sends its attestation public key to the RAS.

4) The attestation service of the RAS sends the trusted verification policy to the RT through the secure channel. This policy is encrypted by the public key of the RT.

5) In the enclave, the RT decrypts the policy and calls the measurement program to examine the system according to the policy. The RT quotes the measurement results and the list of measurements and then sends the results to the RAS.

6) The RAS verifies the signature and compares the result with the baseline values stored in the server. If the result is the same as the baseline value, it verifies that the terminal is trusted.

Fig. 1. Design framework of attestation.

B. Trust Policy Model

In our system, the trusted policy determines the information that needs to be verified in the remote attestation process. The trusted policy includes a policy of integrity checks, the system environment, and configuration information. The integrity policy defines which modules in the system need to be verified. The system environment includes the version of the system and kernel, the main information of devices, and a list of critical programs in the system and their version numbers. The configuration information includes password policies, service settings, and user settings. We obtain a baseline value for the system information on the first controlled run of the system by using the trusted policy to train the attestation model. Baseline values can also be obtained in a different way, such as probing the system for this data using a specially crafted program. In our system, we provide a Web interface for administrators. Therefore, the trusted policy of a terminal can be customized by the administrators and sent to the terminal. The system also allows the administrators to modify the trusted policy.

IV. ENFORCING SECURITY ISOLATION

As we mentioned above, our remote attestation system is composed of an RT, an RAS, and a CA. In the following, we describe the key components of our system and analyze the detailed construction of each module. To prevent malicious attackers from tampering, and to protect the communication, the security of the storage, and the keys, the key modules of the RAS and RT should be isolated and sealed.

A. Remote Terminal

As shown in Fig. 2, the RT is divided into four modules, including the TLS service module, the attestation module, the measurement module, and the untrusted modules.

The TLS service module, being responsible for generating keys and obtaining certificates, is further divided into the keys part, the decryption and encryption part, and the network communication part. The keys part generates asymmetric key pairs for communicating with the RAS, and communicates with the CA to obtain the necessary public key certificates. Once the certificates have been obtained, the keys part of the module will exchange the certificate information and negotiate a session key with the RAS by means of the network part. This session key will be utilized by the attestation module and the measurement module. In order to protect the integrity and confidentiality of the private key and certificates, the keys part is hosted inside an SGX enclave. Encryption and decryption operations, which are associated with the session key and performed by the encryption and decryption part, are also hosted inside an SGX enclave to
guarantee the confidentiality of the session keys. The untrusted network communication part is responsible for the transfer of data between the RAS and the CA.

Fig. 2. Isolation design of RT.

The attestation module provides key generation and signing functionality and is divided into two parts. Due to their confidential nature, these parts run inside enclaves. Different from the keys part of the TLS service module, this one is used to generate a key pair to prove its identity in the remote attestation process. During the attestation process, the signature part uses the private part of the key to sign the measurements. After receiving the policy file and data from the RAS's attestation module, the signature part uses the RAS's public key to verify its identity and then transfers it to the other modules according to the process.

In the measurement module, the policy analysis part parses the policy file and generates a checklist. To ensure the confidentiality of the policy file, it runs inside an enclave. The message gathering part runs partially within the enclave, while the other parts run outside due to the invoked system calls. The policy file is sealed inside the enclave and stored on disk.

B. Remote Attestation Server

As shown in Fig. 3, the RAS consists of four modules, including the TLS service module, the attestation module, the verification module, and the untrusted module. Corresponding to the RT's TLS service module, the RAS's TLS service module is also hosted inside an SGX enclave after the system is booted. This module is responsible for generating the RAS's key pair and communicating with the CA to obtain the public key certificate. After obtaining the certificate, it will communicate with the RT to exchange the certificate and the negotiated session key. For functional independence, the attestation module can be divided into the keys part and the signature part. After receiving the measurement from the measurement module, the signature part uses the RT's public key to verify the signature of the measurement and transfers it to the verification module. Also, in the attestation process, the signature part uses its own key to sign the policy and other data to prove its identity.

Fig. 3. Isolation design of RAS.

The policy part and the comparison part, which are the key components of the verification module, cooperate in the measurement process. We designed the Web part for users to define the policy, which will be translated into a policy file by the policy part. After receiving the measurement from the RT, the comparison part compares the RT's measurement results to the local data and provides feedback to the Web part. All the policy files and measurement results should be sealed inside the enclave and stored on disk.

V. MEASUREMENT

The measurement module is used to collect the main system properties according to the measurement policy. The policy will be sent to the RT from the attestation server. Once the terminal has received the measurement policy, it will launch the measurement programs into an enclave to obtain the required system information. The measurement generally includes system information, security policy, running status, and system integrity policies.

System information consists of the operating system version, kernel version, device information, and installed applications. Security policies can be used to collect the secure configuration regarding authentication, access control and security audit, to measure the status of the system security policy. For example, for authentication, we gather and check user names as well as the policy of password validity and complexity. Also, we can obtain the access control policy to check whether the system configuration meets the required configuration values. In addition, the security audit policy can be collected to make sure the security audit is enabled and the audit policy is correct.

In order to monitor malicious behaviors, the measurement module is designed to detect the system's running status, such as running processes, open services, and open ports. Moreover, the integrity of the system boot will be measured. The integrity values of the system boot can be sealed with the SGX
key. However, currently enclaves can only be created and initialized in kernel mode, but they cannot be entered in kernel mode. Hence, we need to invoke the enter instruction in user mode and then return to kernel mode.

VI. SECURITY-ENHANCED ATTESTATION

The purpose of attestation is to collect measurement values of the RT and verify these values. When getting real-time measurement values, we compare them with the baseline values that we obtained in a clean state and then decide whether they are trustworthy. Current remote attestation such as OAT cannot guarantee its own security [13]. In order to solve this problem, we present a new remote attestation method combining Intel SGX with TLS. The main process of our remote attestation is depicted as follows.

1) RT → RAS: Request connection. The RT initiates a connection request to the RAS.

2) RAS → RT: MSG1. MSG1 = cert. The RAS receives the RT's connection request and sends its own certificate to the RT.

3) RT → RAS: MSG2. MSG2 = pk1. The RT generates the ECC key pair (pk1, priv1) and sends pk1 to the RAS.

4) RAS → RT: MSG3. MSG3 = pk2 || quotetype || policy || Sign(pk1, pk2) || MAC(pk2 || quotetype || policy || Sign(pk2, pk1)). The RAS generates the ECC key pair (pk2, priv2), chooses the type of quote and the measurement policy it needs, and uses its private key to generate the signature over pk1 and pk2. By the DH protocol and the nature of ECC, the RAS can derive sharedkey, and it uses sharedkey to generate the message authentication code. It sends all of the above information to the RT.

5) RT → RAS: MSG4. MSG4 = E(quote || measurement || hash(quote || measurement)). The RT gets MSG3, generates the quote according to the quote type and generates the measurement according to the policy. Then, the RT generates the hash of the quote and the measurement. Finally, the RT uses sharedkey to encrypt the above and sends it to the RAS.

Finally, the RAS receives the encrypted result, which is decrypted and checked in an enclave. If the measurement result and quote meet the security requirement, the RAS validates the RT as a trusted terminal.

The advantage of this attestation mechanism is that we use SGX to achieve double-sided attestation based on the enclave and SGX remote attestation. So both the session and the attestation process are securely protected.

VII. IMPLEMENTATION AND EVALUATION

A. Implementation Details

We implemented our method on a computer with an Intel Skylake processor i7-6700 and 8 GB of memory. The operating system we use is Ubuntu 14.04, 64 bits, and the compiler we use is g++ version 4.8.4.

We use the library libsgx_urts offered by SGX to implement enclave creation and destruction. SGX provides a tool called Edger8r, which can divide our program into trusted and untrusted parts according to the EDL file written by us. Furthermore, it generates the proxy port so that the trusted and untrusted parts of the program can use enclave calls (ecalls) and out calls (ocalls) to communicate with each other.

Fig. 4. Time cost between measurement program in enclave and outside.

SGX provides a cryptographic algorithm library, sgx_tcrypto. It supplies some common algorithms such as SHA256, ECC256, and AES. The public key cryptographic algorithm we used in this paper is ECC256. We use sgx_ecc256_create_key_pair() to generate the key pair in the enclave and we use SHA256 as the hash algorithm. As for the important random numbe
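The MSG1 to MSG4 exchange of Section VI, together with a policy-driven measurement in the spirit of Section V, as an added example that is not part of the paper or its prototype: both sides are modelled with Go's standard library. Assumptions: ECC256 is P-256; the RAS certificate of MSG1 is reduced to the RAS public key, which the RT is assumed to trust; the signature is taken over pk1 || pk2 and is covered by the MAC; E() is AES-256-GCM under sharedkey; the SGX quote is a constructed stand-in, since no quoting enclave is available here; and the policy format (comma-separated keys of a constructed system state) is an assumption of this example.

```go
package main
import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"strings"
)
// Msg3 = pk2 || quotetype || policy || Sign(pk1, pk2) || MAC(pk2 || quotetype || policy || Sign).
type Msg3 struct{ Pk2, QuoteType, Policy, Sig, Mac []byte }
type RAS struct {
	CertKey  *ecdsa.PrivateKey // ECC256 identity key: stand-in for the CA-issued certificate (MSG1)
	baseline []byte            // measurement collected while the RT was in a clean state
	priv2    *ecdh.PrivateKey  // pk2/priv2 for the current session
	shared   []byte            // sharedkey
}
type RT struct{ priv1 *ecdh.PrivateKey; State map[string]string } // pk1/priv1; constructed system state
func NewRAS(baseline []byte) (*RAS, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &RAS{CertKey: k, baseline: baseline}, err
}
func cat(p ...[]byte) []byte { return bytes.Join(p, nil) }
// sharedKey: DH over P-256 with the peer's public point (the 32-byte x-coordinate is used as sharedkey).
func sharedKey(priv *ecdh.PrivateKey, peerPk []byte) ([]byte, error) {
	pub, err := ecdh.P256().NewPublicKey(peerPk)
	if err != nil { return nil, err }
	return priv.ECDH(pub)
}
// mac is HMAC-SHA256 under sharedkey over the signed part of MSG3.
func mac(key []byte, m *Msg3) []byte {
	h := hmac.New(sha256.New, key)
	h.Write(cat(m.Pk2, m.QuoteType, m.Policy, m.Sig))
	return h.Sum(nil)
}
// Measure applies the policy (comma-separated state keys) and hashes the selected entries.
func (r *RT) Measure(policy []byte) []byte {
	h := sha256.New()
	for _, k := range strings.Split(string(policy), ",") { h.Write([]byte(k + "=" + r.State[k] + ";")) }
	return h.Sum(nil)
}
// Msg2 (RT -> RAS): fresh pk1/priv1, send pk1.
func (r *RT) Msg2() (pk1 []byte, err error) {
	if r.priv1, err = ecdh.P256().GenerateKey(rand.Reader); err != nil { return nil, err }
	return r.priv1.PublicKey().Bytes(), nil
}

// Msg3 (RAS -> RT): fresh pk2/priv2, Sign(pk1, pk2) with the identity key, sharedkey, MAC.
func (s *RAS) Msg3(pk1, quoteType, policy []byte) (m *Msg3, err error) {
	if s.priv2, err = ecdh.P256().GenerateKey(rand.Reader); err != nil { return nil, err }
	m = &Msg3{Pk2: s.priv2.PublicKey().Bytes(), QuoteType: quoteType, Policy: policy}
	d := sha256.Sum256(cat(pk1, m.Pk2))
	if m.Sig, err = ecdsa.SignASN1(rand.Reader, s.CertKey, d[:]); err != nil { return nil, err }
	if s.shared, err = sharedKey(s.priv2, pk1); err != nil { return nil, err }
	m.Mac = mac(s.shared, m)
	return m, nil
}

// Msg4 (RT -> RAS): check signature and MAC, measure, send E(quote || meas || hash(quote || meas)).
func (r *RT) Msg4(cert *ecdsa.PublicKey, m *Msg3) ([]byte, error) {
	d := sha256.Sum256(cat(r.priv1.PublicKey().Bytes(), m.Pk2))
	if !ecdsa.VerifyASN1(cert, d[:], m.Sig) { return nil, errors.New("MSG3: bad RAS signature") }
	key, err := sharedKey(r.priv1, m.Pk2)
	if err != nil { return nil, err }
	if !hmac.Equal(m.Mac, mac(key, m)) { return nil, errors.New("MSG3: bad MAC") }
	meas := r.Measure(m.Policy)
	quote := cat([]byte("SIMULATED-QUOTE:"), m.QuoteType, meas) // stand-in for an EPID-signed quote
	h := sha256.Sum256(cat(quote, meas))
	block, _ := aes.NewCipher(key); g, _ := cipher.NewGCM(block) // 32-byte key: setup cannot fail
	nonce := make([]byte, g.NonceSize())
	if _, err = rand.Read(nonce); err != nil { return nil, err }
	return g.Seal(nonce, nonce, cat(quote, meas, h[:]), nil), nil // nonce || ciphertext || tag
}

// Verify (RAS): decrypt MSG4 inside the enclave, check the hash, compare with the baseline.
func (s *RAS) Verify(msg4 []byte) (bool, error) {
	block, _ := aes.NewCipher(s.shared); g, _ := cipher.NewGCM(block)
	if len(msg4) < g.NonceSize() { return false, errors.New("MSG4: too short") }
	pt, err := g.Open(nil, msg4[:g.NonceSize()], msg4[g.NonceSize():], nil)
	if err != nil || len(pt) < 64 { return false, errors.New("MSG4: decryption failed") }
	quote, meas, h := pt[:len(pt)-64], pt[len(pt)-64:len(pt)-32], pt[len(pt)-32:]
	if h2 := sha256.Sum256(cat(quote, meas)); !bytes.Equal(h2[:], h) { return false, errors.New("MSG4: hash mismatch") }
	return bytes.Equal(meas, s.baseline), nil
}
```

A policy altered in transit fails the MAC check, a MSG3 signed by any key other than the trusted RAS key fails signature verification, and a measurement that differs from the baseline is reported as untrusted.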
